Re: Where should Digest go next? from Donald E. Eastlake 3rd on 1996-01-04 (ietf-http-wg@w3.org from January to March 1996)

From: Donald E. Eastlake 3rd <dee@cybercash.com>
Date: Wed, 3 Jan 1996 21:41:29 -0500 (EST)
To: Larry Masinter <masinter@parc.xerox.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.SUN.3.91.960103213640.13025B-100000@cybercash.com>

On Wed, 3 Jan 1996, Larry Masinter wrote:

> I'm just trying to figure out how to deal with 'Digest Authentication'
> in the face of claims that the mechanism has well known holes and
> limitations. Here are the procedural options, as far as I can see
> them:
> 
> 1- Submit as Proposed standard as part of HTTP/1.1
> 2- Submit as Proposed standard as a separate document
> 3- Submit as Informational, as part of HTTP/1.0
> 4- Submit as Informational, as a separate document
> 5- Don't handle as part of IETF
> 
> The problem with options 1 and 2 is whether such Proposed Standards
> would have a chance of actually making it to Standard without change.
> I don't think this will work out: the standards track really does
> require us to propose solutions that don't have major holes, and if
> we're not interested in fixing the known problems, trying to move
> along standards track is inappropriate.

I can't see anything wrong with having a spectrum of solutions that
meet a spectrum of threat environments.  Security need not be
perfect to be useful.

> The problem with option 3 is that it would delay the (already late)
> HTTP/1.0 spec.
> 
> So, I'm leaning toward option 4 or 5. With option 4, it is likely that
> if you submit it in the current form, the IESG would either add or
> require the authors to add appropriate disclaimers as to how Digest
> Authentication might not add significant additional security above and
> beyond Basic Authentication.

Seems only reasonable to tell people what they are getting with an
autentication scheme but the judgement that its effectivley the same
as Basic in strength in only true for cerain threat environments.

> Is this agreeable? I'd like to get the 'Digest Authentication' item
> out of its currently stalled status, and move forward on this one way
> or another.

If you would like standard conformant software to include the feature,
include it in the standard.

Donald
=====================================================================
Donald E. Eastlake 3rd     +1 508-287-4877(tel)     dee@cybercash.com
   318 Acton Street        +1 508-371-7148(fax)     dee@world.std.com
Carlisle, MA 01741 USA     +1 703-620-4200(main office, Reston, VA)

Received on Wednesday, 3 January 1996 18:48:11 UTC